Password Disclosure:

News.com reports:

A popular computer security Web site was abruptly yanked offline this week by MySpace.com and GoDaddy, the world's largest domain name registrar, raising questions about free speech and Internet governance.

MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources, because a list of thousands of MySpace usernames and passwords was archived on the site....

In a move that Seclists.org owner Fyodor Vaskovich said happened with no prior notice, the company [GoDaddy] deleted his domain name--causing his site to be effectively unreachable for about seven hours on Wednesday until he found out what was happening and removed the password list.

"They didn't tell me why they removed the site," Vaskovich, creator of the popular Nmap security auditing utility, said in a phone interview. "At a very minimum, we should get warning." ...

For her part, GoDaddy general counsel Christine Jones defended the abrupt deletion, saying: "We tried to contact the registrant, but they were not available at the time. To protect the MySpace users from potentially having private information revealed, we removed the site." ...

Jones and Vaskovich, however, tell substantially different versions of exactly what happened.... Vaskovich provided CNET News.com with a log of correspondence from GoDaddy that corroborates his version of the story.... GoDaddy did not immediately respond to follow-up questions....

"Some people might feel safer with a registrar that's a little more pro-customer," [Miami lawprof Michael] Froomkin said.

There's certainly an important customer service question here; but I should also note that there's an interesting underlying First Amendment question that could have arisen in another context. Several states expressly outlaw the disclosure of computer passwords, even if the disclosure is done without the intention of helping criminals (and here it seems that Vaskovich didn't intend to help criminals, though when he learned of the post he probably realized that it may have the effect of helping some criminals):

Ark. Code § 5-41-206(a). A person commits computer password disclosure [generally a misdemeanor] if the person purposely and without authorization discloses a number, code, password, or other means of access to a computer or computer network that is subsequently used to access a computer or computer network.

Ga. Code § 16-9-93(e). Any person who discloses a number, code, password, or other means of access to a computer or computer network knowing that such disclosure is without authority and which results in damages (including the fair market value of any services used and victim expenditure) to the owner of the computer or computer network in excess of $500.00 shall be guilty of the [misdemeanor] crime of computer password disclosure [and shall be civilly liable to injured parties].

Kan. Stat. § 21-3755(c)(1). Computer password disclosure [a misdemeanor] is the unauthorized and intentional disclosure of a number, code, password or other means of access to a computer or computer network.

Minn. Stat. 609.8913. A person is guilty of a gross misdemeanor if the person knows or has reason to know that by facilitating access to a computer security system the person is aiding another who intends to commit a crime and in fact commits a crime. For purposes of this section, "facilitating access" includes the intentional disclosure of a computer password, identifying code, personal information number, or other confidential information about a computer security system which provides a person with the means or opportunity for the commission of a crime.

Miss. Code § 97-45-5 (1). An offense against computer users [a misdemeanor] is the intentional ... (b) Use or disclosure to another, without consent, of the numbers, codes, passwords or other means of access to a computer, a computer system, a computer network or computer services.

Penn. Cons. Stat. § 7611(a). A person commits the offense of unlawful use of a computer if he ... (3) intentionally or knowingly and without authorization gives or publishes a password, identifying code, personal identification number or other confidential information about a computer, computer system, computer network, computer database, World Wide Web site or telecommunication device.

S.D. Codified Laws § 43-43B-1. A person is guilty of unlawful use of a computer system, software, or data if the person ... (3) Knowingly ... uses or discloses to another, or attempts to use or disclose to another, the numbers, codes, passwords, or other means of access to a computer system without the consent of the owner....

W. Va. Code § 61-3C-10. Any person who knowingly, willfully and without authorization discloses a password, identifying code, personal identification number or other confidential information about a computer security system to another person shall be guilty of a misdemeanor ....

If one of the states had jurisdiction over Seclists.org, and Vaskovich had kept the password list on the computer even after he knew it was there, would he be guilty under the relevant statute? Would the First Amendment protect his continued retention of the data on his computer? (I tend to think that the First Amendment would not protect this, for reasons discussed in Crime-Facilitating Speech, 57 Stanford Law Review 1095 (2005), but courts have not yet confronted the question.)

Thanks to BNA's Internet Law News for the pointer.

Bruce Hayden (mail) (www):
I love Prof. Froomkin's comment: "Some people might feel safer with a registrar that's a little more pro-customer".
1.26.2007 1:34pm
Ram:
IANAL. Is it really disclosure when you publish something that is well known, even if it once had been a secret? Most of the NDAs I've read acknowledge that a public secret is not a secret.
1.26.2007 1:43pm
anonVCfan:
I'm missing something. How is the First Amendment involved when a private company takes another private company's website offline? Is it because of the way the Internet is managed?
1.26.2007 1:46pm
Ram:
anonVCfan,

"the way the Internet is managed"
myspace asked godaddy to remove (the very highly regarded) seclists.org from the Internet. The nature of godaddy's business includes having significant control over the existence of domain names (e.g. volokh.com, seclists.org) such that operationally they have the ability to erase their own customers from the internet.

I see the basic question as "is it ok for them to erase one of their customer's entire internet presence."

I'm not a lawyer, but it seems to me that the question comes down to ... can godaddy defend its action, given the nature of their service contract with their customer, say against a lawsuit for violating service.
1.26.2007 2:12pm
anonVCfan:

I see the basic question as "is it ok for them to erase one of their customer's entire internet presence."

Again, what does the First Amendment have to do with this? If you're protesting on the street corner and I smash your signs and steal your megaphone, I haven't violated your First Amendment rights unless I'm part of the government.
1.26.2007 2:16pm
Ram:
Do we have the protected right to disclose publicly known computer access codes?
1.26.2007 2:20pm
Eugene Volokh (www):
anonVCfan: There's no First Amendment issue in GoDaddy's actions; I'm using this incident as a vehicle for suggesting a hypothetical: "If one of the states had jurisdiction over Seclists.org, and Vaskovich had kept the password list on the computer even after he knew it was there, would he be guilty under the relevant statute? Would the First Amendment protect his continued retention of the data on his computer?"
1.26.2007 2:50pm
18 USC 1030 (mail):
I would say GoDaddy did the only thing they could: they could not edit the site and damage the data. Rather, they pulled it offline until the offending material was removed, at which point it was put back online. I would assume there is something in the contract between GoDaddy and SecLists that states that GoDaddy can bring a site offline for certain reasons, one of which would probably include this. Either by the general "not in violation of any law" or by stipulating against publishing usernames and passwords of others.

I also don't see how a private company could violate the first amendment. Surely they could violate some statute; but can an individual violate the first amendment? Wouldn't this be like the 4th amendment where it only protects people from the state?
1.26.2007 2:52pm
anonVCfan:
Thanks, Prof. Volokh.
1.26.2007 2:58pm
Alex R:
I wonder if these laws might apply in any way to Bugmenot.com, which exists for its users to share passwords for accounts they have created on free, registration-required, websites.

Disclosure of the passwords is (presumably) authorized by the account creators, but is probably not authorized in most cases by the websites themselves...
1.26.2007 4:00pm
NickM (mail) (www):
Under most of those statutes, is this even covered? Is a Myspace account password a password to a network?

Nick
1.26.2007 5:07pm
Eugene Volokh (www):
That is indeed one of the questions -- if the password protects not access to the computer as such (because anyone can get access to the computer just by setting up his own account) but rather access to a particular account on the computer, would that violate the relevant statutes?
1.26.2007 5:34pm
Anthony A (mail):
AnonVCfan, there might be a First Amendment issue if the contractual grounds for the action was "engaging in illegal activity". If there is a FA defense to the crime, then the contract was not violated. Further, the company's action might be because of legal requirements for the protection of privacy, rather than contractual arrangements; in which case the FA may also apply.

What I don't get is why the domain-name registrar was contacted, instead of either the hosting company (it's not necessarily the same), or the site owner directly.
1.26.2007 6:45pm
Anthony A (mail):
A MySpace account password is a password to the MySpace network, or to portions of it. That's what a prosecutor would have to argue in AK, GA, and KS.

SD and WV say "computer system"; the password-protected parts of MySpace are definitely a computer system. PA statutes say "database", which is even clearer.

MN requires "means or opportunity for commission of a crime"; that's arguable, but likely to be provable.
1.26.2007 6:49pm
Toby:
Everyone is assuming a very bright line in the responsibilities of the registrar to the registrant without recognizing responsibilities of the registrant to the registrar. There are any number of reasons why the owner of a domain name is expected to be quickly available and responsive to inquiries. These include "Why are computers in your domain attacking other computers?" and requirements for contacts to notify about spam generation. The most basic of these is the inclusion of the RNAME in the DNS entry. The RFC defines RNAME as specifying the mailbox of the person responsible for this zone.

From the registration:
Registrant:
Insecure.Com LLC

370 Altair Way PMB 113
Sunnyvale, California 94086-6161
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECLISTS.ORG
Created on: 02-Oct-03
Expires on: 02-Oct-10
Last Updated on: 30-Dec-06

Administrative Contact:
Hostmaster, Seclists hostmaster-seclists@insecure.org
Insecure.Com LLC
370 Altair Way PMB 113
Sunnyvale, California 94086-6161
United States
6509894206

Technical Contact:
Hostmaster, Seclists hostmaster-seclists@insecure.org
Insecure.Com LLC
370 Altair Way PMB 113
Sunnyvale, California 94086-6161
United States
6509894206

Notice that in this case the addresses are not personal, but generic. All inquiries, requests, and security reports should be answered promptly by one of these addresses. There are response times defined in most registration agreements. Were they met?

Note that because spammers were harvesting registration addresses, more and more people hide or occlude these addresses, so this part of the domain registration is breaking down. It is not clear if, in the absence of answers to emails sent to the addresses of record, GoDaddy has any responsibility to SecLists.
1.27.2007 11:45am
Splunge (mail):
if the password protects not access to the computer as such (because anyone can get access to the computer just by setting up his own account) but rather access to a particular account on the computer, would that violate the relevant statutes?

You're suggesting these laws were designed to protect the computer hardware owner against the possibility of someone using the hardware without his permission. Like protecting a car owner against someone else driving the car without the owner's permission.

I doubt that. I think these laws were designed to protect the computer account owner against someone gaining access to his personal information without his permission. The value of personal information stored on a computer typically hugely exceeds the value of the hardware itself, or its rental, and people -- even legislators -- typically feel quite strongly about protecting their privacy by limiting who can gain access to what's on their "particular account".
1.27.2007 3:59pm
Splunge (mail):
Oh, and as for Vaskovich, he's arguing in the court of (semi)public opinion because he doesn't have a ghost of a chance elsewhere. His contract with GoDaddy explicitly forbids him doing anything as obnoxious as putting up a list of MySpace passwords, and gives GoDaddy the right to terminate his service instantly the moment they find out he has (or indeed, as the article points out, for any other reason they find sufficient and compelling). They're not obligated to even try to contact him first.

Indeed, the fact that they resumed his service at all, after he'd taken off the offending material, is mighty generous of them. Most DNS servers would have told him to take his business elsewhere in the future, after such a crass violation of the terms of service, not to mention common sense.
1.27.2007 4:11pm
Darwin (mail) (www):
Splunge: His contract with GoDaddy explicitly forbids him doing anything as obnoxious as putting up a list of MySpace passwords ... after such a crass violation of the terms of service, not to mention common sense.

You don't seem to understand how the internet works... in this case, Vaskovich didn't post the list.

As the cited article says:

... Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources... a list of thousands of MySpace usernames and passwords was archived on the site. ...
until he found out what was happening and removed the password list.


In other words, one of the *users* of the "mailing lists" or "other resources" posted the list on his site, which is a public forum. While Vaskovich is certainly liable for all uses of his site, it is hardly "obnoxious" or "crass" for him to provide a service which others might misuse... unless you feel anyone who provides a forum on the internet should be monitoring all of its content 24/7/365 while strictly evaluating it for illegality.

Crass and obnoxious, indeed.

=darwin
1.27.2007 8:14pm
Eugene Volokh (www):
Splunge: I'm just asking how the laws would be applied to this situation, given their specific wording.
1.27.2007 8:34pm
Rick Wilcox (www):
Splunge:
I'm trying really hard to find the section of the GoDaddy domain registration contract that states that a website that archives security-based mailing lists like fulldisclosure can have its DNS entries changed because of the content of a post on a mailing list that the site archives, but does not control. I just got finished reading the ToS and I can't find anything outside of the "morally objectionable activities" clause (below) that implies that GoDaddy considers it a breach of contract to archive a public mailing list.

The "morally objectionable activities" clause (as part of Section 7, "Restriction of Services; Right of Refusal") reads:
Go Daddy may also cancel the registration of a domain name, after thirty (30) days, if that name is being used, as determined by Go Daddy in its sole discretion, in association with spam or morally objectionable activities. Morally objectionable activities will include, but not be limited to: activities designed to defame, embarrass, harm, abuse, threaten, slander or harass third parties; activities prohibited by the laws of the United States and/or foreign territories in which You conduct business; activities designed to encourage unlawful behavior by others, such as hate crimes, terrorism and child pornography; activities that are tortious, vulgar, obscene, invasive of the privacy of a third party, racially, ethnically, or otherwise objectionable; activities designed to impersonate the identity of a third party; and activities designed to harm or use unethically minors in any way.

In order for this clause to be correct to its verbiage, doesn't GoDaddy need to be able to show (even under the "sole discretion" wording) that Vaskovich himself intended for MySpace passwords to be leaked on his site? I guess they could always argue that "archiving the fulldisclosure mailing list" was an "activity designed to encourage unlawful behavior by others", even though his site is devoted to the discussion of hacking as a method of learning about security vulnerabilities and fixing them.

Mr. Volokh:
I'm wondering if my question on the matter is the same as yours - does "knowingly having/archiving/retaining the already-disclosed data publicly" equate to "disclosing the data"?
1.28.2007 9:49pm
Rick Wilcox (www):
To add to my previous question, does Vaskovich's retention of the data, or disclosure of other ways to find the MySpace password list (here), carry any further weight towards the act of "disclosing" crime-facilitating information than the URLs to potentially crime-facilitating websites in your own paper, or if I were to publish links to academic cryptanalysis papers that showed how certain deployed versions of particular ciphers are unnecessarily crippled by their employers and are thus susceptible to extremely swift attacks?
1.28.2007 10:00pm
Apodaca:
18 USC 1030 writes:
I would say GoDaddy did the only thing they could: they could not edit the site and damage the data. Rather, they pulled it offline until the offending material was removed, at which point it was put back online.
I think I disagree with just about all of this. First, it's not at all clear whether GoDaddy actually tried to contact whoever operates the web servers on which the relevant info was stored. (It's unclear whether Vaskovich has his own servers or uses a commercial hosting service.) This is pretty relevant, especially since...

In nulling out the DNS record for seclists.org, GoDaddy did not "pull[ the offending data] offline." As far as I can see, what they did was simply mess with the authoritative DNS records, meaning that

1) plenty of people out in the world could still access seclists.org for a time, thanks to DNS caching, and

2) the data was still publicly available, even to users for whom the domain name would not resolve. (Hint: I can access a website if I know its IP address regardless of whether it has a working domain name.)
1.29.2007 11:58am
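Apodaca's point about DNS caching is the one part of this thread that can be shown concretely: a registrar nulling the authoritative record does not make the name disappear from recursive resolvers until each cached copy reaches its TTL. The following is an added illustration written for this page, not code from the article, GoDaddy, or any commenter; the zone contents, the 192.0.2.10 address (from the TEST-NET range) and the TTL are constructed values. It models a toy authoritative zone and a caching resolver and walks a takedown through the clock.

```python
"""Toy model of why a registrar-level DNS takedown takes effect only as
resolver caches expire.  Added example; names, IPs and TTLs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: int  # seconds a resolver may keep this answer in its cache


class AuthoritativeZone:
    """The registrar / DNS-operator side: the source of truth for a domain."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], Record] = {}

    def add(self, rec: Record) -> None:
        self._records[(rec.name.lower(), rec.rtype)] = rec

    def remove(self, name: str, rtype: str) -> None:
        # "Nulling out" the record: from now on the authoritative answer is empty.
        self._records.pop((name.lower(), rtype), None)

    def lookup(self, name: str, rtype: str) -> Optional[Record]:
        return self._records.get((name.lower(), rtype))


class CachingResolver:
    """A recursive resolver with a positive answer cache keyed by (name, type).
    Negative caching (RFC 2308) is deliberately not modelled."""

    def __init__(self, upstream: AuthoritativeZone) -> None:
        self.upstream = upstream
        self._cache: Dict[Tuple[str, str], Tuple[str, float]] = {}  # value, expiry
        self.upstream_queries = 0  # how often the authoritative side was consulted

    def resolve(self, name: str, rtype: str, now: float) -> Optional[str]:
        key = (name.lower(), rtype)
        cached = self._cache.get(key)
        if cached is not None:
            value, expires_at = cached
            if now < expires_at:
                # Served from cache: the authoritative zone is never consulted,
                # so a record removed upstream is still answered here.
                return value
            del self._cache[key]
        self.upstream_queries += 1
        rec = self.upstream.lookup(name, rtype)
        if rec is None:
            return None
        self._cache[key] = (rec.value, now + rec.ttl)
        return rec.value


def takedown_timeline(ttl: int = 3600) -> List[Tuple[int, Optional[str]]]:
    """Resolve once (populating the cache), remove the record authoritatively,
    then show what a client behind that resolver sees at later instants."""
    zone = AuthoritativeZone()
    zone.add(Record("seclists.org", "A", "192.0.2.10", ttl))  # constructed address
    resolver = CachingResolver(zone)
    timeline = [(0, resolver.resolve("seclists.org", "A", 0))]  # cache warmed at t=0
    zone.remove("seclists.org", "A")  # the registrar-side takedown
    for t in (60, ttl - 1, ttl, ttl + 1):
        timeline.append((t, resolver.resolve("seclists.org", "A", t)))
    return timeline


if __name__ == "__main__":
    for t, answer in takedown_timeline():
        print(f"t={t:>5}s  {answer or 'NXDOMAIN (no answer)'}")
```

Every resolver that cached the name before the change keeps answering until its own copy expires, so the window in which the content stays reachable by name is bounded by the record's TTL per resolver, and removing content at the hosting side (or directly with the operator, as Anthony A suggested) is what actually takes the data down.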
Rick Wilcox (www):
Apodaca:
Don't forget that SecLists.org only had the data because of their archiving of the fulldisclosure list, which is run by grok.org.uk. The only people affected by the DNS shunt were those who rely on SecLists.org for fulldisclosure postings.
1.29.2007 8:36pm